Posts

Showing posts from December, 2013

ADVANCED Access Lists (ACL) Configuration

TIP: ACL is applied directly to the interface using the "ip access-group" command:
(config-subif)#ip access-group EXTENDED_OR_STANDARD_ACL [in | out]
TIP: Watch out not to ban the routing protocol traffic!!! You might need to add this to your filter ACL:
(config-ext-nacl)#permit ospf any any
TIP: deny any any doesn't affect the locally generated traffic on the router


It's enough to configure an extended ACL and hit the question mark when you want to define a PORT to realize that there is an entire world of ACL configuration options we never knew about.

One of the awesome features is playing with the ESTABLISHED attribute, which means - allow back in the return traffic of TCP sessions that our hosts have already established. In this example we're allowing back in the TELNET and HTTP return traffic to HOST 10.187.12.1 (one entry per source port, since "range 80 23" would not match just those two ports):
(config-ext-nacl)#permit tcp any eq 80 host 10.187.12.1 established
(config-ext-nacl)#permit tcp any eq 23 host 10.187.12.1 established
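To make the ESTABLISHED behaviour concrete, here is an added example (not code from the original post) that models how IOS walks an extended ACL top to bottom, with the implicit deny at the end, and what the "established" keyword actually checks. The ACL, the host 10.187.12.1, the documentation-range outside addresses and the packets are constructed for illustration:

```python
# Added example (not from the original post): a small model of how an IOS
# extended ACL with the "established" keyword is evaluated. Networks, ports
# and flag sets below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Packet:
    proto: str                       # "tcp", "udp", "ospf", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)   # e.g. {"SYN"}, {"ACK"}


def _net(spec: str):
    """Translate IOS address syntax ("any", "host A.B.C.D", CIDR) into an ip_network."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    return ip_network(spec)


@dataclass
class Ace:
    """One access-control entry, in the order it was typed."""
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: str                            # "any", "host A.B.C.D" or CIDR
    dst: str
    sports: Optional[Set[int]] = None   # None = any source port
    dports: Optional[Set[int]] = None   # None = any destination port
    established: bool = False           # only meaningful for TCP

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in _net(self.src):
            return False
        if ip_address(p.dst) not in _net(self.dst):
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.established:
            # "established" is stateless: it only checks that ACK or RST is
            # set, i.e. the packet claims to belong to an existing session.
            if p.proto != "tcp" or not (p.tcp_flags & {"ACK", "RST"}):
                return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Constructed ACL in the spirit of the post: keep OSPF alive and let only
# HTTP/Telnet *replies* back in to host 10.187.12.1.
INBOUND_FILTER = [
    Ace("permit", "ospf", "any", "any"),
    Ace("permit", "tcp", "any", "host 10.187.12.1", sports={80}, established=True),
    Ace("permit", "tcp", "any", "host 10.187.12.1", sports={23}, established=True),
]


def demo() -> dict:
    """Return the verdict for a few constructed packets."""
    web_reply = Packet("tcp", "203.0.113.10", "10.187.12.1", 80, 51000, {"ACK"})
    inbound_syn = Packet("tcp", "203.0.113.10", "10.187.12.1", 80, 51000, {"SYN"})
    ospf_hello = Packet("ospf", "10.187.12.254", "224.0.0.5")
    dns_reply = Packet("udp", "203.0.113.53", "10.187.12.1", 53, 40000)
    return {
        "web_reply": evaluate(INBOUND_FILTER, web_reply),
        "inbound_syn": evaluate(INBOUND_FILTER, inbound_syn),
        "ospf_hello": evaluate(INBOUND_FILTER, ospf_hello),
        "dns_reply": evaluate(INBOUND_FILTER, dns_reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The model shows the two things worth remembering about "established": it never looks at session state, only at the ACK/RST bits of the packet in front of it, and the UDP reply is dropped by the implicit deny because the keyword has no meaning for UDP. A reflexive ACL or a stateful firewall is the tool when real session tracking is needed.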


TIME-BASED ACL
STEP 1: define the time range using the "time-range TIMERA…

CCIE Blueprint v5 announced

As we've been waiting for, the new v5 Blueprint has been announced.

Starting from June the 4th 2014 the CCIE exam content changes, so if you've been preparing it for a while - you might want to set a date! I've got 3rd of March booked, so wish me luck :)

More details about the CCIE Exam content updates:
http://www.cisco.com/web/learning/certifications/expert/ccie_rs/docs/ccieRS_examUpdates4-5.pdf

IP SLA - Monitor the Network Performance

Probably the most typical usage of IP SLA is to measure UDP Jitter and Echo, to make sure that the path is good enough to send the sensitive VoIP traffic. Two sides need to be configured, CLIENT and SERVER (RESPONDER).
IP SLA can be configured without configuring a specific PROBE, just configure sending a generated packet to the RESPONDER, where the RESPONDER is configured to respond with TIME STAMP information, so the source can calculate the performance values. CAREFUL with the times, configure NTP if you're not certain the devices are synced.

To configure the RESPONDER (the CLIENT is later pointed at the RESPONDER's IP and PORT):
(config)#ip sla  monitor responder

Make sure you configure the CLIENT device in accordance with these defined parameters:
(config)#ip sla monitor 10
(config-sla-monitor)#type udpEcho dest-ipaddr 10.187.122.2 dest-port 500
(config-sla-monitor-udp)#frequency 5 <- IN SECONDS
(config-sla-monitor-udp)#hours-of-statistics-kept 1 <-HOW MUCH TIME THE STATISTICS ARE KEPT
(con…

PBR - Policy Based Routing

!!!Most Important: To DEBUG the Policy Map:
#debug ip policy

To match the SOURCE IP use the standard ACL:
(config)#access-list 2 permit host 100.1.1.1

To match the FLOW use the EXTENDED ACL:
(config)#ip access-list extended FLOW1
(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2 <-TO MATCH THE FLOW
(config-ext-nacl)#permit tcp any any eq 23 <- TO MATCH THE PROTOCOL(PORT)

ROUTE-MAP can be applied GLOBALLY on a router, to change the Routing Table:
(config)#ip local policy route-map ROUTE_MAP
!!!This will not work for traffic transiting this router. For that you need to apply it on the interface

IPv6 Tunnels

First a reminder about an IPv4 GRE tunnel, the simplest and most GENERIC one.

Configuration is really simple, create the Tunnel interface, define the MODE and assign the Source and Destination IP or Interface:
(config)#interface tunnel <NUMBER>
(config-if)#tunnel mode gre ip
(config-if)#tunnel source 10.1.1.2
(config-if)#tunnel destination 172.26.182.15


Then define the GRE tunnel IP (needs to be in the same subnet on both sides):
(config-if)#ip address 15.4.4.6 255.255.255.0
By default GRE keep-alives are off, but they can be turned on.

Now the IPv6. There are 4 types of IPv6 Tunnels:

1. IPv6 over IPv4 GRE tunnel, the configuration is similar to the IPv4 one:
(config)#interface tunnel0
(config-if)#tunnel source lo0
(config-if)#tunnel destination 10.187.166.15
(config-if)#ipv6 address 1:1:1:1::1/64

2. IPv6 over IPv6IP Tunnel
3. IPv6 over IPv4 UDP Teredo Tunnel
4. IPv4 over IPv6 GRE Tunnel

STATIC Tunnels: GRE, IPv6IP
AUTOMATIC Tunnels: 6to4 (IPv4 into IPv6 prefix), ISATAP - have a standard format of the I…

EIGRPv6

The difference with OSPF is that even if you configure it on the interface:
(config-if)#ipv6 eigrp 100
it will not form an adjacency unless you DEFINE THE ROUTER-ID, and do a NO SHUT:
(config-rtr)#eigrp router-id 1.1.1.1
(config-rtr)#no shut <-ON SOME IOS VERSIONS NOT NEEDED, BUT DO IT JUST IN CASE...
*Dec  1 11:18:08.343: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::4 (Serial1/0.14) is up: new adjacency

!!!BE SURE TO DEFINE THE METRIC WHEN REDISTRIBUTING INTO EIGRP, or it will not work!!!
(config-rtr)#redistribute ospf 1 metric 1 1 1 1 1

To change the timers on the interface the command is a bit BACKWARDS, as in "ipv6 hello-interval eigrp ..." rather than "ipv6 eigrp hello-interval ...":
(config-if)#ipv6 hello-interval eigrp 100 10 <-HELLO
(config-if)#ipv6 hold-time eigrp 100 40 <-DEAD

The command for checking the current timers is also unintuitive, because you need to add "detail" to the end:
#sh ipv6 eigrp interfaces detail  | i Hello
  Hello-interval is 10, Hold-time is 40
  Hello-interval is 60…

OSPFv3

If you know OSPFv2 (IPv4 OSPF) you won't have any problems here. There are, however, a few differences in the configuration. First one - it's configured on the INTERFACE LEVEL, and the Area is also defined there, so there is no need to add the "network" commands within the Router configuration:
(config-if)#ipv6 ospf 1 area 0

!!!Don't forget to define the router-id, because if there are no IPv4 addresses on the router - it cannot pick one! So - FIRST define the RID, and THEN configure OSPF, to avoid restarting the OSPF process later.

LSA Changes: Even though most LSA definitions stay the same, there are a few changes in OSPFv3:

OSPFv3 type  OSPFv3 LSA name          OSPFv2 type  OSPFv2 LSA name
0x2001       Router LSA               1            Router LSA
0x2002       Network LSA              2            Network LSA
0x2003       Inter-area Prefix LSA    3            Network Summary LSA
0x2004       Inter-area Router LSA    4            ASBR Summary LSA
0x4005       AS-External LSA          5            AS-External LSA
0x2006       Group Membership LSA     6            Group Membership LSA
0x2007       Type-7 LSA               7            NSSA External LSA
0x0008       Link LSA                 -            (no OSPFv2 equivalent)
0x2009       Intra-area Prefix LSA    -            (no OSPFv2 equivalent)

*If you want an area not to recei…
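The OSPFv3 type codes in the table are not arbitrary: the 16-bit LS Type field (RFC 5340) carries a U bit, two flooding-scope bits and a 13-bit function code, which is why AS-External is 0x4005 (AS scope), Link LSA is 0x0008 (link-local scope) and everything else is 0x2xxx (area scope). This added example, which is not code from the original post, decodes and re-encodes the field; the names are taken from the table above.

```python
# Added example (not from the original post): decode the 16-bit OSPFv3
# LS Type field from RFC 5340, which is why the table shows 0x2001,
# 0x4005 and 0x0008 instead of plain 1, 5 and 8.

# Function codes (low 13 bits) as listed in the post's table.
FUNCTION_CODES = {
    1: "Router LSA",
    2: "Network LSA",
    3: "Inter-area Prefix LSA",
    4: "Inter-area Router LSA",
    5: "AS-External LSA",
    6: "Group Membership LSA",
    7: "Type-7 LSA",
    8: "Link LSA",
    9: "Intra-area Prefix LSA",
}

# Flooding scope carried in bits S2 S1 (mask 0x6000).
SCOPES = {0b00: "link-local", 0b01: "area", 0b10: "AS", 0b11: "reserved"}
SCOPE_BITS = {name: bits for bits, name in SCOPES.items()}


def decode_ls_type(ls_type: int) -> dict:
    """Split an OSPFv3 LS Type into U bit, flooding scope and function code."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    u_bit = (ls_type >> 15) & 0x1      # how a router treats an unknown type
    scope = (ls_type >> 13) & 0x3
    code = ls_type & 0x1FFF
    return {
        "u_bit": u_bit,
        "scope": SCOPES[scope],
        "function_code": code,
        "name": FUNCTION_CODES.get(code, "unknown function code"),
    }


def encode_ls_type(scope: str, function_code: int, u_bit: int = 0) -> int:
    """Inverse of decode_ls_type; handy when building test fixtures for a parser."""
    if function_code & ~0x1FFF:
        raise ValueError("function code must fit in 13 bits")
    return (u_bit & 1) << 15 | SCOPE_BITS[scope] << 13 | function_code


def table_from_post() -> dict:
    """Decode every OSPFv3 type code that appears in the table above."""
    codes = (0x2001, 0x2002, 0x2003, 0x2004, 0x4005, 0x2006, 0x2007, 0x0008, 0x2009)
    return {code: decode_ls_type(code) for code in codes}


if __name__ == "__main__":
    for code, info in table_from_post().items():
        print(f"0x{code:04X}  {info['scope']:10s} {info['name']}")
```

When reading OSPFv3 LSAs in a capture or a "show ipv6 ospf database" output, checking the scope bits is a quick way to tell whether an LSA should ever have crossed an area border: an AS-scope type seen inside a stub area, or an unknown function code with the U bit set, is worth a second look.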